Opened 3 years ago

Last modified 4 months ago

#6361 enhancement new

twisted.internet.ssl.PrivateCertificate.options() is limited by allowing only authorities

Reported by: hynek
Owned by:
Priority: normal
Milestone:
Component: core
Keywords:
Cc: hynek, mithrandi
Branch:
Author:

Description

Work on #6286 unveiled that PrivateCertificate.options is (unnecessarily) greatly hampered by only allowing a list of certificate authorities.

If we allowed passing in the same arguments as into CertificateOptions, lots of code would be simpler and also more idiomatic.

Change History (6)

comment:1 Changed 3 years ago by hynek

  • Cc hynek added
  • Summary changed from PrivateCertificate.options is limited by allowing only authorities to twisted.internet.ssl.PrivateCertificate.options() is limited by allowing only authorities

comment:2 Changed 3 years ago by glyph

I really would like to see the description for this ticket refined.

The idea behind .options() is that it's an abstract interface, that provides a sensible set of options for TLS connections.

OpenSSLCertificateOptions, by contrast, is a pile of OpenSSL-specific implementation stuff in support of that interface. In particular it takes X509 instances rather than Certificate or PrivateCertificate instances to its constructor.

Now, obviously, the interface is not complete, but as we expand it, please don't add every single option, expressed in the bizarre, demented style that OpenSSL requires, requiring application code to import constants and classes from OpenSSL themselves. It's supposed to be an abstraction layer.

comment:3 Changed 2 years ago by hynek

Okay, what are we gonna add how? :)

It’s currently useless for servers because it lacks certs/keys & DHE params and it’s useless for clients because it doesn’t support trustedRoot.

comment:4 (follow-up: comment:6) Changed 4 months ago by mithrandi

extraCertChain is also missing, although I guess this belongs in the PrivateCertificate or Certificate object itself?

comment:5 Changed 4 months ago by mithrandi

  • Cc mithrandi added

comment:6 (in reply to: comment:4) Changed 4 months ago by glyph

Replying to mithrandi:

  extraCertChain is also missing, although I guess this belongs in the PrivateCertificate or Certificate object itself?

PrivateCertificate is just a certificate + key; perhaps we should have a higher-level object like CertificateChain that supports all the relevant options.

At this point I'm wondering if .options is just not worth rehabilitating; we can deprecate it, it's been impossible to run a good TLS server with it for years.
